Starwood Hotels and Resorts Worldwide, one of the most progressive adopters of an SOA strategy, concedes that it is having to map its own way forward in key areas such as defining operational management procedures, because there are no practical precedents.

Meanwhile, security concerns and escalating demands from business users are proving to be challenges for AAA Carolinas, the insurance and travel company, as it builds its own SOA-based platform to improve business integration and cut administrative overhead.

Starwood set out on an SOA strategy four years ago  initially basing its program on XML but subsequently standardizing on SOAP  as it looked to upgrade reservations, check-in, housekeeping and other operational systems.

The company, which owns a range of hotels including Sheratons, Westins and the W chain, is now in the final stages of shifting hundreds of applications that were previously split between a centralized mainframe and hotel-based systems onto an SOA platform. It has already moved a number of applications off the mainframe, including a rates-and-availability system and its customer loyalty program.

Israel del Rio, senior vice-president of technology solutions and architecture, describes the initiative as complex and feels that the company is closer to the leading edge in adoption than it originally expected. "My perception is that many companies are trying SOA, but it's limited  it's the way we were doing it two or three years ago, testing the water," he says. As a result, he points out that Starwood has few role models to copy as it attempts to put critical measures in place in areas such as operational governance.

He points out that compared to the more monolithic mainframe world, a federated SOA environment presents a number of challenges, with a single component failure causing ripple effects all the way downstream. "The mainframe industry has developed a lot of good tools. In SOA, the tools are still emerging," he says. Earlier this year, the company adopted Actional's SOA management suite, which it is now implementing to handle factors such as load balancing and policy application. It is also deploying Systinet's Registry for governance and lifecycle management, allowing different development groups to publish services and make them available to other teams. [Read more about how Starwood has tackled implementation challenges in Loosely Coupled's March 2006 report on Managing SOA Performance].

Ageing mainframe

Meanwhile AAA Carolinas, one of the largest units within the American Automobile Association, has recently overhauled its own system infrastructure. Its previous legacy set-up combined ageing mainframe technology, desktop applications and a large volume of manual systems. "It was just a manual nightmare", says Harry Johns, manager of insurance IT. "Everyone had to learn every system to use the whole process." As well as duplicating data entry in unconnected systems, it struggled to run reports or make information available to agents to handle real-time quotes.

The company has since upgraded its iSeries midrange system and implemented IBM's Websphere integration technologies, along with a document management system from iSeries specialist RJS Software that allows it to store insurance information electronically. Its strategy is to expand the volume of web services it uses over time, replacing hard-wired integration and in some cases linking together systems for the first time.

The company is now able to use web services to link its 1.5 million customer records with data on insurance policies, which are held in multiple offices and were previously paper-based. That allows it to cross-reference information and cross-sell to its existing customers. In addition, it is setting up a credit card system that will connect to clearing houses via web services to process transactions; those same services will be deployed when the company builds a front-end system to allow agents or customers to make payments online. By linking together disparate systems, the company is able to populate multiple systems with one set of data and so eliminate re-entry.

Security challenge

Johns foresees a number of challenges, however, as the company exposes its systems to agents and customers. "Security is the biggest challenge," he says. "Because we're providing external access into our system, we have to be very specific about what we want to present and give access to." The company expects to go live before the end of the year with the first phase of the project, allowing customers to enquire about their account and make payments. The next stage will give customers the capability to make changes to their accounts directly, such as entering a request to add a vehicle to an insurance policy. Longer-term, the aim is to build both an information and transactional resource where people can get a quote and automatically process it.

For now, some of the security requirements are being met by giving customers access only to less sensitive information, such as outstanding bills or the status of their policy. In addition, rather than accessing the iSeries direct, data will be held on a server outside the firewall  a more secure option, but one that has significant implications in terms of managing a high volume of data traffic.

A second challenge Johns' team faces is catering for ever-growing demands from business users. At the outset of the project, he says, business users set a minimum functionality threshold. Now, as they look to replicate capabilities found on other sites, there is pressure to provide a greater volume of information, give customers access to more data and better track visitor behavior.